Firewall evaluation by Pro

Hi. I had this discussion in another forum with an informatics engineer, a Linux fan, who among other things said, to show that Linux is more secure, that "Jetico is the only free firewall", so you can't have the security without paying money in Windows.
When I gave him a list of other free firewalls, his words were:

"Have you ever tested them? They don't stealth anything. Zone Alarm Free isn't even a firewall. It simply says which packets are dangerous, but doesn't block them. Trust me, this is told to you by a security maniac, Kerio Pro or Sygate Pro are the more reliable ones".

Now, except for the part about Sygate and Kerio being the most reliable, which I think is debatable (Sygate's local proxy hole is still there, it's not exactly the first in leak tests and the default config to leave server rights isn't the best; Kerio is more unstable than others and doesn't perform well in leak tests), I really don't know how to comment on it...

I'm clearly not a firewall expert by any stretch of the imagination, but I'd pretty much dismiss his comments on the basis of that statement alone. A focus on supposed stealth misses the point. Stealth doesn't close a closed port tighter, nor does it really render a home user (mind you, a home user with a dynamic IP) safer.

I am certainly no "expert" either, however, I would say that his comments on ZA not blocking packets are complete nonsense. ZA blocks packets fine just like any other respectable firewall. Based on that comment I would have to dismiss his words pretty much too.

"Have you ever tested them? They don't stealth anything. Zone Alarm Free isn't even a firewall. It simply says which packets are dangerous, but doesn't block them. Trust me, this is told to you by a security maniac, Kerio Pro or Sygate Pro are the more reliable ones"

Eh? Has he run ZoneAlarm (free) with firewall testers such as ShieldsUp!? If he had, he would have noticed that ShieldsUp returns everything as stealth and that ZA (free) would have logged and blocked the intrusions.

Another "Pro" who doesn't know what he is talking about. Sorry, but I have to slam people who don't have substantial facts to back their claims.

Thank you all for the replies. I am in no way a security expert; I simply consider myself a security fan and I am especially interested in firewalls, that's why I joined this forum in the first place.

When someone "expert" comes and tells you such things, you remain like a stone. It's like a meteorologist telling you "look, the sky is pink, trust me, I know". To such statements, I don't know how someone can reply without being rude. So I really was interested in the way you would approach the issue...

Initially he said that Jetico is the only free firewall in Windows, but so difficult to set up that IPtables is preferable.

So then I replied to him that, off the top of my head, there were also
- Zone Alarm Free
- Sygate Free
- Kerio 2.1.5 (together with CHX-I as a packet filter for the fragmented UDP packets that pass through Kerio 2, it is still a very light setup)
- Kerio 4 Free (heavy, but with IDS too, a version of Snort adapted to Windows, rather badly though)
- NetVeda Free
- Ghostwall (without application filtering, but very light; you choose only ports and protocols, like with Firestarter (IPTables) in Linux)
- Secure Point
- Soft Perfect
- Filseclab (a bit high CPU usage)
- Look 'n' Stop Lite (although I don't like it personally)

His reply was the one I posted in the first post. I really couldn't believe my eyes. Although I'm no expert, I have tried all of them and with most of them you were at least stealthed.

I could only reply to him in this way yesterday:

I completely disagree. About Sygate and Kerio there is much to discuss about what is meant by "reliability". The fact remains that for me there are still many valid free firewalls and that ZAF is one of them (and it blocks malign packets and stealths, although stealthing is not a panacea). To say that they don't stealth and that ZA doesn't block the malign packets is an unheard-of thing. Sygate, with the big local proxy hole, is much more unreliable for a user that ignores the existence of this vulnerability.

Then, addressing another forumer, he continued with another "weird" statement:

"The free firewall tests in Windows say the contrary. I have a friend that works in $$$ (a mobile phone company), security sector. He doesn't trust anything other than Kerio Pro. You know how such things are, he understands some things..."

My reply was:

"Having seen the long list of bugfixes in Kerio 4 and the pitiful results in leak tests, I am surprised. Sometimes appearances deceive and the "experts" find surprises before them. Give him this link to read:

And to see what has changed from one release to the other. He will feel fortunate that he was using it all this time without incidents. Because as for stability, it isn't the maximum. And a firewall that crashes isn't a firewall.

I really don't know how one must reply to someone that comes as an "expert" and says such things and then throws onto the table yet another "expert" (his friend), even bigger than himself. Then you hear about "tests of free firewalls in Windows" that show how poor the firewalls are. I am not aware of any such tests. Maybe someone among you is?

Also, given the fact that I use ZAF, I should have been hacked by now

You all claim that you are no experts, but I would take your opinion over his any day. Some people are so bloated with arrogance that they don't see their poor knowledge.

Indeed, dear Kerodo. Indeed. Apart from the statements about free firewalls not stealthing, ZA not being a firewall etc, I am even surprised at how 2 "great" security experts are so fond of the bloatware called Kerio 4. Not only does it have a series of instability issues (the latest release fixed a crash, the GUI freezing at high connection numbers is still there, several vulnerability bulletins etc), but one thing that I was always curious about with Kerio 4 was the fact that it was easily identifiable from the outside.

If I remember correctly, the 2 ports that are used by the firewall engine for module communication naturally appear not stealthed in a port scan, and given that they are standard ports, they inform the attacker that the victim is running Kerio. This alone, IMHO, is a minus in security.

I have been in the Kerio forum since the early betas and finally abandoned the attempt at about 4.0.16, because it was unbearable as a firewall, but it is also remarkable how many bugs were found and fixed thanks to other early forum members there like Graham and Matunga, whom I admire for their patience. But having watched the evolution of this firewall for quite some time, I wouldn't dream of calling it reliable until 4.2. And it still has problems.

Well, guys, have you ever read the newsgroup 'comp.security.firewalls'?

There is one 'pro', Volker Birk, and a few others, spamming in almost any thread that only the XP SP2 firewall is needed. Solid advice for anyone wanting to know nothing about security and to protect only inbound. But to me those replies are spam.

BTW, the Sygate forum is back now. Red Jack emailed me so I posted a reply there.

In Kerio 4, the GUI freeze is helped by not enabling the right-click option 'resolve address'. Not that I ever experienced that, but some do. I got a few BSODs though, so now I am back to Sygate.

EDIT: The Leaktester site results may not have been run with Kerio's application blocking feature in full use and Sygate with DLL authentication enabled. Old results, I think.

In Kerio 4, the GUI freeze is helped by not enabling the right-click option 'resolve address'. Not that I ever experienced that, but some do.

I know... It's one of the oldest unresolved problems of Kerio, and that is a bypass, not a solution. In order to see it you need many connections, like p2p. It would eat 100% of my CPU. Even with "resolve address" disabled, I had a serious performance hit. I read it has been improved in the latest release (if you keep resolve address disabled). But these aren't signs of a stable firewall.

The Leaktester results are indeed a bit old, from Kerio 4.1.1. But his friend didn't start using it yesterday, so they still show something. Also, ironically, the latest ZA vulnerability (that a malware could use the browser to get out) was found by the users of the Kerio forum to be valid for Kerio 4 as well...

Yes, it's comp.security.firewalls. Volker is quite a character. And pretty annoying too. He would have you believe that all personal firewalls are snake oil and completely useless, and that the only thing you ought to use is the XP Firewall. Most of his posts are truly like spam...

Best policy to survive on NG is not to feed guys like Volker; they just relish and thrive on unnecessary arguments without logic and only go on to aggravate you.

Arup, you just gave me an idea! I think I'll feed him to Volker. Imagine the situation. From one side this Volker that claims only the Win firewall is necessary. From the other side, this other guy (Italian) that claims that free Windows firewalls don't stealth, aren't real firewalls, refuses to buy the "garbage" that is Windows XP and thinks that the Linux firewall rulez. Then all I'd have to do is subscribe to that newsgroup, take my popcorn and enjoy the slaughter

Trust me, this is told to you by a security maniac, Kerio Pro or Sygate Pro are the more reliable ones".

Rather missing the point, as others have pointed out - though if he has a router, online stealth testing sites will end up testing that instead (this may be where he is getting confused - if his router is not set up properly, then he will fail online tests regardless of personal firewall configuration).

Indeed, Windows is better served than Linux in the firewall arena in my view. Linux's IPtables/chains is a good packet filter, but does not allow for application level filtering (e.g. allowing Konqueror HTTP access but blocking any other browser). So far, I have only seen one application for Linux (TuxGuardian) providing this option, which is considered a basic feature in the Windows firewall world.

Once ad/spyware starts to become an issue in Linux, then this picture should change rapidly, but currently Windows is the target of choice for "professional" malware writers and therefore has more security software to counter them.

Indeed, Windows is better served than Linux in the firewall arena in my view. Linux's IPtables/chains is a good packet filter, but does not allow for application level filtering (e.g. allowing Konqueror HTTP access but blocking any other browser). So far, I have only seen one application for Linux (TuxGuardian) providing this option, which is considered a basic feature in the Windows firewall world.

Of course that is your opinion! Hardened Linux firewalls, such as Astaro, Checkpoint, Sidewinder, etc... are some of the best server-based firewalls that present technology has to offer. And speaking of whether it should be better suited in a Windows environment (based on an exploited OS with holes) compared to a hardened Linux system is like comparing apples and oranges! I personally own Astaro and must say that I have port 80 blocked on all clients and have the option to allow only certain browsers access. Protecting the clients (Windows) with their own layered security apps is another matter, beyond the scope of this conversation. I would trust my system(s) any day to a highly rated/praised ipchains firewall over a router that has the purpose of NAT and relaying!

"I have tested it myself, a few versions ago, when with a sniffer I saw passing packets that should NOT have passed, towards an IP that, resolved to the contrary (I imagine he means reverse lookup), was the one of a games company. And just imagine, I was playing a game of the same software company at that moment...
Sygate later told me that the application was trying to access the net. From that moment I have never used ZA since".

IMHO, either he has discovered a big vulnerability hole in ZA or, more likely, he hadn't set up/configured the firewall correctly.

Of course that is your opinion! Hardened Linux firewalls, such as Astaro, Checkpoint, Sidewinder, etc... are some of the best server-based firewalls that present technology has to offer.

The topic being discussed was that of personal firewalls rather than server-based ones. My comment about the lack of application-filtering applies just as much (if not more so) to server based firewalls though, since they have no way of determining what process on the client machine is making a network connection.

However to be "the best", a firewall needs to be running on the most secure OS and this would be OpenBSD rather than Linux.

Jazzie1 said:

And speaking of whether it should be better suited in a Windows environment (based on an exploited OS with holes) compared to a hardened Linux system is like comparing apples and oranges! I personally own Astaro and must say that I have port 80 blocked on all clients and have the option to allow only certain browsers access.

And how does Astaro identify browsers? The only way for a remote system to do this is by checking the user-agent ID, which can easily be spoofed by malware (or web filtering proxies like Proxomitron). It may therefore suffice to block certain browsers but cannot be used to provide reliable protection against malware phoning home.

Jazzie1 said:

Protecting the clients (Windows) with their own layered security apps is another matter, beyond the scope of this conversation. I would trust my system(s) any day to a highly rated/praised ipchains firewall over a router that has the purpose of NAT and relaying!

Client side firewalls seem to be the topic discussed in that newsgroup thread. For home or business users, an extra firewall offering NAT and filtering unsolicited incoming traffic is certainly a bonus, but cannot provide the outbound control that a decent personal firewall with application control can.

Arup, you just gave me an idea! I think I'll feed him to Volker. Imagine the situation. From one side this Volker that claims only the Win firewall is necessary. From the other side, this other guy (Italian) that claims that free Windows firewalls don't stealth, aren't real firewalls, refuses to buy the "garbage" that is Windows XP and thinks that the Linux firewall rulez. Then all I'd have to do is subscribe to that newsgroup, take my popcorn and enjoy the slaughter

Indeed, all these people mentioned are nothing compared to the real 'experts' in this thread, who all agree they are dumb.

Indeed, all these people mentioned are nothing compared to the real 'experts' in this thread, who all agree they are dumb.

I'll tell you what. Real experts use arguments and/or proof to support what they say and then leave the judgement to the others. Eventually the arguments of one side will be more logical than the other's, and the level of knowledge of each side will show. Those that simply say "Trust me, 'cause I know, I am a security maniac" are just arrogant.

I think the thing we need to question here is the user's curiosity... and we all know that curiosity killed the cat, and in this case your computer.
Don't go looking for trouble (saying).
Half the time a computer is compromised by p2p. Now I'm not saying not to use p2p, although it is illegal depending on what you are downloading. But viruses/trojans/malware, call it what you want, don't just end up on your PC one morning. The user has to interact with the computer... go to these dodgy sites... either looking to boot people off chat rooms or playing with stupid client trojan programs to get a thrill.
But in some cases trouble comes looking for you.

The base of it all is to have a solid operating system.
And because Linux is not widely used, hackers will always try to compromise the popular one, i.e. Windows.
So yeah, get yourself a Linux distro (be warned, it's not that straightforward).

However to be "the best", a firewall needs to be running on the most secure OS and this would be OpenBSD rather than Linux.


That again is your opinion! You were comparing Windows firewalls to Linux-based ones... I never stated that Linux is the most secure. I stated it was more secure than Windows and that the leaders (Checkpoint/Astaro/Sidewinder) use those platforms..

And how does Astaro identify browsers? The only way for a remote system to do this is by checking the user-agent ID, which can easily be spoofed by malware (or web filtering proxies like Proxomitron). It may therefore suffice to block certain browsers but cannot be used to provide reliable protection against malware phoning home.


Even though this is not foolproof, it can be done. I trust my network users; like I said before, that is not the job of the fw anyway (being server-based), it is the job of the clients with extra security apps. And I control what ports are accessed and how...

Client side firewalls seem to be the topic discussed in that newsgroup thread. For home or business users, an extra firewall offering NAT and filtering unsolicited incoming traffic is certainly a bonus, but cannot provide the outbound control that a decent personal firewall with application control can.


This depends on how you connect to the server. If you use a proxy and disable almost all outbound ports, but let's say port 8080 for certain clients, then your battle is already won. I can control what clients have what services/ports open. (Meaning everything, DNS, HTTP, HTTPS, POP and SMTP, is proxied!)

but cannot provide the outbound control that a decent personal firewall with application control can


This again is illusory. Like passing all leak test(s)! I believe that fw developers that try to pursue the cat and mouse game of offering a fw that passes all supposed leak tests are just pressured into that by their customers. In a real-time, real-world situation, a forced entry or attack would be handled quite differently than that of "does this app call out/home" or "is my system compromised because it executed and nothing on my system told me so"....

If you use a proxy and disable almost all outbound ports, but let's say port 8080 for certain clients, then your battle is already won. I can control what clients have what services/ports open. (Meaning everything, DNS, HTTP, HTTPS, POP and SMTP, is proxied!)

Yes, you can control how clients connect to the Internet - but not what data is sent or the program that sends it. If you have decent client-side security to control which applications can send out data, that can counter malware attempts to phone home. A proxy server on its own cannot provide such control - the best it can do is block access to known malware domains/IP addresses.

Jazzie1 said:

This again is illusory. Like passing all leak test(s)! I believe that fw developers that try to pursue the cat and mouse game of offering a fw that passes all supposed leak tests are just pressured into that by their customers. In a real-time, real-world situation, a forced entry or attack would be handled quite differently than that of "does this app call out/home" or "is my system compromised because it executed and nothing on my system told me so"....

Malware using leaktest techniques is a reality (see Firewallleaktester: In the Wild for some examples). Firewalls blocking such techniques is also a reality. Where exactly is the illusion here?

Malware using leaktest techniques is a reality (see Firewallleaktester: In the Wild for some examples). Firewalls blocking such techniques is also a reality. Where exactly is the illusion here?

Just listing that link isn't proof that these attacks are being used. If you follow the examples provided you will find that many don't follow the definition of 'launcher' 'substitution' etc that the author has given. It's evident he/she was finding it difficult to find any real examples of malware using leaktest techniques, hence the reason for the poor examples listed.